
Customize LDAP User and Group Membership Queries

IN THIS ARTICLE 

Outlines how to customize the schema used for LDAP user and group membership queries.

REQUIREMENTS

  • Cluster running Qumulo Core 2.11.0 or later
  • Command-line (CLI) tools installed from the API & Tools tab

PROCESS

As of version 2.11.0, you can connect your cluster to an LDAP server whose schema does not follow RFC2307. Earlier releases supported only the RFC2307 schema for LDAP user and group membership queries.

Use one of these two commands to configure your LDAP settings:

qq ldap_set_settings
qq ldap_update_settings

To customize the LDAP user and group membership queries, pass any of the following options to one of the commands above. Each option names the attribute or object class the cluster queries; options you omit keep their RFC2307 values:

  • --custom-login-name-attribute: The attribute on a user object that holds the user's login name. (RFC2307 attribute: uid)
  • --custom-group-member-attribute: The attribute on a group object that holds references to that group's members. (RFC2307 attribute: memberUid)
  • --custom-user-group-identifier-attribute: The attribute on a user object whose value the group-member attribute on a group refers to. (RFC2307 attribute: uid)
  • --custom-user-object-class: The object class for users. (RFC2307 value: posixAccount)
  • --custom-group-object-class: The object class for groups. (RFC2307 value: posixGroup)
  • --custom-group-name-attribute: The attribute on a group object that holds the group's name. (RFC2307 attribute: cn)
  • --custom-uid-number-attribute: The attribute on a user object that holds the user's uid number. (RFC2307 attribute: uidNumber)
  • --custom-gid-number-attribute: The attribute on a user or group object that holds its gid number. (RFC2307 attribute: gidNumber)

The following example maps the queries onto an Active Directory schema. Note that it binds over plain ldap:// with --encrypt-connection false, so the bind password crosses the network in cleartext, and it binds as the domain Administrator. Outside a lab, set --encrypt-connection true and bind with a dedicated, read-only service account:

qq ldap_set_settings \
--use-ldap true \
--bind-uri ldap://ad-parent.eng.qumulo.com \
--base-dn "cn=Users,dc=ad-parent,dc=eng,dc=qumulo,dc=com" \
--bind-username "cn=Administrator,cn=Users,dc=ad-parent,dc=eng,dc=qumulo,dc=com" \
--bind-password a \
--encrypt-connection false \
--custom-group-member-attribute member \
--custom-group-object-class group \
--custom-login-name-attribute sAMAccountName \
--custom-user-group-identifier-attribute distinguishedName \
--custom-user-object-class user
{
    "use_ldap": true,
    "base_dn": "cn=Users,dc=ad-parent,dc=eng,dc=qumulo,dc=com",
    "bind_uri": "ldap://ad-parent.eng.qumulo.com",
    "encrypt_connection": false,
    "ldap_schema": "CUSTOM",
    "ldap_schema_description": {
        "group_member_attribute": "member",
        "group_object_class": "group",
        "login_name_attribute": "sAMAccountName",
        "user_group_identifier_attribute": "distinguishedName",
        "user_object_class": "user"
    },
    "user": "cn=Administrator,cn=Users,dc=ad-parent,dc=eng,dc=qumulo,dc=com"
}

Unless you override them with the --custom-uid-number-attribute and --custom-gid-number-attribute options, the following attributes remain at their RFC2307-defined values:

  • uidNumber: The attribute on a user object that holds the POSIX uid number for that user.
  • gidNumber: The attribute on a user object that holds the primary POSIX gid number for that user.
  • gidNumber: The attribute on a group object that holds the POSIX gid number for that group.

Once a custom schema is configured, test it by resolving a known login name to the gid numbers of its groups with the following command:

qq ldap_login_name_to_gid_numbers --login-name LDAPNAME
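
To see how the options chain together before running that against a live cluster, here is an added example (not Qumulo code) that models the lookup ldap_login_name_to_gid_numbers performs: it merges custom overrides onto the RFC2307 defaults listed above, emits the LDAP search filters each step would use (with RFC 4515 escaping so a login name taken from a client cannot change the filter's structure), and walks two constructed in-memory directories, one RFC2307-style and one Active Directory-style matching the example above. The directory entries, the DN, and the exact filter shape are assumptions; the cluster's real query implementation is not shown on this page.

```python
"""
Added example (not Qumulo code): model how the custom schema attributes chain
together in a login-name -> gid-numbers lookup, and emit the LDAP filters each
step would use so they can be checked with ldapsearch before running
qq ldap_set_settings. All directory entries below are constructed test data.
"""

# RFC2307 defaults, as listed in the article. Any key not overridden keeps these.
RFC2307 = {
    "login_name_attribute": "uid",
    "group_member_attribute": "memberUid",
    "user_group_identifier_attribute": "uid",
    "user_object_class": "posixAccount",
    "group_object_class": "posixGroup",
    "group_name_attribute": "cn",
    "uid_number_attribute": "uidNumber",
    "gid_number_attribute": "gidNumber",
}

# Overrides taken from the article's Active Directory example.
AD_CUSTOM = {
    "login_name_attribute": "sAMAccountName",
    "group_member_attribute": "member",
    "user_group_identifier_attribute": "distinguishedName",
    "user_object_class": "user",
    "group_object_class": "group",
}


def effective_schema(custom):
    """Merge overrides onto the RFC2307 defaults; reject misspelled keys early."""
    unknown = set(custom) - set(RFC2307)
    if unknown:
        raise ValueError("unknown schema keys: %s" % sorted(unknown))
    return {**RFC2307, **custom}


def escape_filter_value(value):
    """RFC 4515 escaping. A client-supplied login name must never be able to
    alter the filter, e.g. 'x)(uid=*' becomes 'x\\29\\28uid=\\2a'."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(schema, login_name):
    """Filter that finds the user entry for a login name."""
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["user_object_class"],
        schema["login_name_attribute"],
        escape_filter_value(login_name),
    )


def group_filter(schema, identifier):
    """Filter that finds groups whose member attribute refers to the user."""
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["group_object_class"],
        schema["group_member_attribute"],
        escape_filter_value(identifier),
    )


def _values(entry, attr):
    """Return an entry's attribute as a list (LDAP attributes are multi-valued)."""
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


def login_name_to_gid_numbers(schema, directory, login_name):
    """Assumed chain: user entry -> identifier -> groups -> gid numbers.
    'directory' is a list of dicts standing in for LDAP entries."""
    users = [e for e in directory
             if schema["user_object_class"] in _values(e, "objectClass")
             and login_name in _values(e, schema["login_name_attribute"])]
    if len(users) != 1:
        raise LookupError("expected one user for %r, found %d" % (login_name, len(users)))
    idents = _values(users[0], schema["user_group_identifier_attribute"])
    if not idents:
        raise LookupError("user %r lacks %s" % (login_name, schema["user_group_identifier_attribute"]))
    gid_attr = schema["gid_number_attribute"]
    gids = {int(g) for g in _values(users[0], gid_attr)}  # primary gid from the user entry
    for e in directory:
        if (schema["group_object_class"] in _values(e, "objectClass")
                and idents[0] in _values(e, schema["group_member_attribute"])):
            gids.update(int(g) for g in _values(e, gid_attr))
    return sorted(gids)


# Constructed sample entries: one RFC2307 directory, one AD-style directory.
RFC2307_DIR = [
    {"objectClass": ["posixAccount"], "uid": "alice", "uidNumber": "1001", "gidNumber": "1001"},
    {"objectClass": ["posixGroup"], "cn": "eng", "gidNumber": "2000", "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": "ops", "gidNumber": "2001", "memberUid": ["bob"]},
]
ALICE_DN = "CN=alice,CN=Users,DC=ad-parent,DC=eng,DC=qumulo,DC=com"  # assumed DN
AD_DIR = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
     "distinguishedName": ALICE_DN, "uidNumber": "1001", "gidNumber": "1001"},
    {"objectClass": ["top", "group"], "cn": "eng", "gidNumber": "2000", "member": [ALICE_DN]},
    {"objectClass": ["top", "group"], "cn": "ops", "gidNumber": "2001", "member": []},
]

if __name__ == "__main__":
    for name, custom, directory in (("rfc2307", {}, RFC2307_DIR), ("ad", AD_CUSTOM, AD_DIR)):
        schema = effective_schema(custom)
        print(name, user_filter(schema, "alice"), login_name_to_gid_numbers(schema, directory, "alice"))
```

Feed the strings from user_filter and group_filter to ldapsearch against your own server and confirm that the first returns exactly one entry for a known login name and the second returns the groups you expect; a login name that matches zero or several entries is reported rather than silently mapped.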

IMPORTANT! RFC2307 remains the default schema when no custom schema options have been supplied. If you have applied custom options and want to revert to the default, run the following command:

qq ldap_update_settings --rfc2307

RESOLUTION

You should now be able to configure the schema used for LDAP user and group membership queries in Qumulo Core.

ADDITIONAL RESOURCES

QQ CLI: LDAP and Certificates

 
